
REGULATORY AUDITING OF QUALITY MANAGEMENT SYSTEMS (QMS) AND AUDITING PROCESS

1. Introduction

1.1 The purpose of this document is to be used as “Guidelines for Quality
Management Systems and Auditing Procedures” for regulatory auditing of quality
systems of medical device manufacturers based on the process approach of the
ISO 13485:2003 standard. The audit strategy can be seen as guidance on how to audit the
effectiveness of quality systems in a systematic and effective manner within a
reasonable time. This includes the fulfillment of regulatory requirements of medical
device manufacturers. The main aim of the guidance is to promote audit consistency, a
necessity for harmonization and mutual recognition of audit results.

1.2 Benefits for the regulators include:


i) Improved auditing, leading to improved quality systems and product quality
ii) Achievement of greater consistency in regulatory audits both among auditors within
a regulatory organization and between regulatory organizations
iii) Promotion of greater collaboration between regulators in regard to regulatory audits
iv) Increased confidence in audits performed by a regulatory organization and
acceptance of those audits by other regulators
v) Saving of resources

1.3 Benefits for the manufacturers of medical devices include:


i) Improved auditing, leading to improved quality systems and product quality
ii) Achievement of greater consistency in regulatory audits
iii) Saving resources through easier preparation for regulatory audits
iv) Reducing the number of times a single manufacturer undergoes audits by different
regulatory bodies
v) Increased confidence in and acceptability of audits by other regulators

1.4 Beneficiaries also include the users of medical devices and patients, who can
have a high degree of assurance that medical devices placed on the market will be safe
and effective.

2. Scope

2.1 This document is intended to be used by regulatory auditing organizations and
auditors as a guide for conducting medical device quality systems audits based on the
process approach to the standard of ISO 13485:2003.

2.2 Additional regulatory requirements and guidance will need to be considered,
depending on the regulatory authorities who will receive and use the audit report. This
guidance document applies to initial audits and to surveillance audits.

3. Reference

ISO 13485:2003: Quality Systems – Medical Devices Requirements for regulatory
purposes
GHTF/SG4/N28R2: Guidelines for Regulatory Auditing of Quality Systems of Medical
Device Manufacturers – Part 1: General Requirements (1999)
GHTF/SG4/N30R6: Guidelines for Regulatory Auditing of Quality Systems of Medical
Device Manufacturers - Part 2: Regulatory Auditing Strategy (proposed document)
GHTF/SG1/N011R17: Summary Technical Documentation for Demonstrating
Conformity to the Essential Principles of Safety and Performance of Medical Devices
(STED)
ISO 19011:2002: Guidelines for quality and/or environmental management systems
auditing
ISO/TC 210/WG1 N62: ISO/TR 14969:200X Guidance on the Application of ISO
13485:2003
ISO/IEC Guide 62: 1996(E) General requirements for bodies operating assessment and
certification/registration of quality systems.
International Electrotechnical Commission.
ISO 14971:2000 “Medical devices application of risk management to medical devices”

4. Definitions

“Audit” means systematic independent and documented process for obtaining audit
evidence and evaluating it objectively to determine the extent to which the audit criteria
are fulfilled. ISO 19011:2002
Note: For the purpose of these guidelines, “audit” means a regulatory audit.

“Regulatory audit” means the audit of a quality system to demonstrate conformity with
a quality system standard and the relevant regulatory requirements.

“Audit criteria” means set of policies, procedures or requirements. ISO 19011:2002

“Audit evidence” means records, statements of fact or other information, which are
relevant to the audit criteria and verifiable. ISO 19011:2002
Note: Audit evidence may be qualitative and/or quantitative and is used to substantiate
audit observations

“Technical files” means documentation required to assess conformity of the medical
device with the regulations.
See attached document of GHTF/SG1 “STED, Summary Technical Documentation”,
proposed document SG1/N011R17 of 2002.

“Medical device” is defined in the national and regional regulations listed in Appendix 4
and the GHTF document SG 4/N28 R2: “Guidelines for Regulatory Auditing of quality
Systems of Medical Device Manufacturers – Part 1: General Requirements”.

“Process” means set of interrelated or interacting activities which transforms inputs into
outputs.

“Regulatory requirement” means any part of a law, ordinance, decree or other
regulation, which applies to quality systems of medical device manufacturers.
Note: Guidelines, notes, draft documents, or the like should not be used as regulatory
documents and are not to be construed as such unless formally promulgated.

5. General Remarks on Regulatory Auditing Strategy

When conducting the regulatory audit, the quality management system of a medical device
manufacturer based on ISO 13485:2003: “Quality systems – Medical devices System
requirements for regulatory purposes” is checked with regard to conformity with the
quality system requirements and compliance with the relevant regulatory requirements.

5.1. Objectives of a Regulatory Audit


i) Based on the definition of a regulatory audit, the auditing organization determines
during a regulatory audit the compliance of the auditee’s quality system with the
relevant regulatory requirements. The audit checks how quality problems associated
with a medical device or the quality system are recognized and settled.
ii) The audit should be planned and conducted in such a way that the following
objectives are reached:
- The effectiveness of the manufacturer’s quality system including the fulfillment of
regulatory requirements is measured and monitored in a systematic and effective
manner within a reasonable time.
- The regulatory audit is process-oriented. The application of a system of processes
within an organization, together with the identification and interactions of these
processes, and their management, can be referred to as the “process approach”.
Therefore, the audit should preferably follow the workflow processes of the medical
device manufacturer.
- The regulatory audit is risk-based with a focus on key processes of the quality system
necessary to manufacture the medical devices. In other words, the auditor should
concentrate on factors that are most likely to affect patient safety.
- The audit is transparent to the auditee.
- The audit process and results are similar regardless of which auditing organization or
individual auditors conduct the audit, with an ultimate goal for harmonization and mutual
recognition of audit results.

5.2. Auditing Quality Management Systems and Subsystems


i) Rather than focusing on the individual requirements of the standard, an audit should
focus on the overall effectiveness of the quality management system. To break the audit
into more manageable parts, key activities or subsystems have been identified. The
guide for auditing process is shown in Appendix 4.
ii) The subsystems and associated clauses of ISO 13485:2003 are:

Subsystem                               Clauses and secondary clauses (linkages) of ISO 13485:2003
1. Management                           4, 5, 6, 8
2. Design and development               7
3. Technical files                      4, 7
4. Production Processes                 6, 7, 8
5. Corrective and preventive actions    4, 5, 6, 7, 8
6. Purchasing controls                  7
7. Documentation and records            2, 4
8. Customer requirements                7, 8
Appendix 5: Sterilization Process       7, 8

Table 1: Subsystems and associated clauses (More detailed references to clauses and
sub-clauses of ISO 13485:2003 are given in Chapter 6.0 Auditing Subsystems)

iii) The key subsystems for addressing quality are the subsystems 1 to 5 identified in
Table 1. These should receive the primary focus of the audit. It may be appropriate to
treat the other subsystems as key subsystems in some situations. Examples for the
subsystem purchasing controls include:
- A “virtual” Manufacturer who contracts essential activities such as design and
production
- A Manufacturer who contracts a sterilization process, or
- A Manufacturer of high risk medical devices who purchases significant components
and subassemblies.

5.3. Auditing Approaches
i) There are different approaches to conducting a regulatory audit:

The “top-down” approach for conducting a regulatory audit begins with an evaluation
of the structure of the quality management system and its subsystems: management,
design control, technical files, production processes, and corrective and preventive
actions. Selected subsystems are reviewed to determine whether the manufacturer has
addressed the basic requirements by defining and documenting appropriate
procedures. It is important to check that a process approach is applied both in the
quality system and in each subsystem, e.g. by using a PDCA cycle (see Chapter 5.4).
With the “top-down” approach, the auditor will first confirm that the manufacturer has
established appropriate procedures and policies. Then the auditor will review evidence
including records to verify whether the manufacturer is implementing the procedures
and policies effectively and the quality system is in conformity with regulatory
requirements.
The advantage of this approach is a uniform approach for a systematic and transparent
regulatory audit process – both for the regulatory sides and the manufacturer.

The “bottom-up” approach for a regulatory audit can have as a starting point a quality
problem; e.g., a medical device report of an adverse event or nonconforming product.
Thus, the auditor starts at the bottom and works his way through the manufacturer’s
quality system up to the management responsibility.
The advantage of this approach is a quick insight on the effectiveness of the selected
subsystems and processes that have been affected by the specific quality problem and
the cause(s) of the quality problem. The disadvantage of this approach is that it is very
difficult for the auditor to determine how effectively the complete quality system works.

A third alternative is a combination of these two approaches. The auditor starts by
reviewing the top layer of the quality system (top-down); then audits some aspects of
the implementation of the system (e.g., the production process) and finally the auditor
verifies that the relevant procedures are being used (bottom-up). The advantage of the
combination approach is that it is often quicker to audit than using either the top-down
or bottom-up approach. The combination approach also offers more flexibility in
identifying the cause(s) of specific problems while assessing the effectiveness of the
quality management system.

ii) Depending on the purpose and trigger of an audit, an appropriate approach should
be selected. If there are no special events to be covered during the audit, the top-down
approach is preferred. An initial audit will normally follow a top-down approach. Audits
which include a potential significant safety issue will normally follow a bottom-up
approach.

1.5.3 Process Based Auditing


Any effective quality management system (including the subsystems) works as a control
process, which has the ability to detect deviations and nonconforming products and
assures that the corrective and preventive action measures are effective. The regulatory
auditor should check that all subsystems and processes of the quality management
system are structured as self-regulating control processes. For example Deming’s
PDCA cycle demonstrates such a process with the following components:

i) Plan – Has the manufacturer established the objectives and processes to enable the
quality system to deliver the results in accordance with the regulatory requirements?
ii) Do – Has the manufacturer implemented the quality system and the processes?
iii) Check – Has the manufacturer checked process monitoring and measurement
results against the objectives and the regulatory requirements? Does the manufacturer
evaluate the effectiveness of the quality system periodically through internal audits and
management reviews?
iv) Act – Has the manufacturer implemented effective corrective and preventive
actions? Confirm that the company is committed to providing high quality safe and
effective medical devices, and that the company is conforming with applicable laws and
regulations.
These are generic questions that can be asked throughout the audit.

5.4. Sampling
In general there are two ways of sampling records for review which are useful in
regulatory audits: risk based and statistical. Where possible, auditors should select
samples based on factors which are most likely to affect the safety of the patient. In this
situation sampling tables are not necessary. The auditor may however decide to select
a statistically valid sample. A sample can also be drawn using a combination of risk
based and statistical sampling.

5.5. Audit Planning


i) Further to the requirements given in chapter 11 of GHTF Guidelines for
Regulatory Auditing of Quality Systems of Medical Device Manufacturers – Part 1:
General Requirements (SG4/N28R2), some more consideration should be given to the
following points:
- Information from the Manufacturer
- Estimation of audit duration, frequency and targeted on-site auditing time
Further points to consider are given in chapter 6.

Information required from the manufacturer
ii) In the planning phase, the following information should be requested from the
manufacturer to estimate the audit duration and to prepare the audit plan for Regulatory
Auditing of Quality Systems of Medical Device:
- manufacturer's name, address
- contact name, telephone, fax numbers and e-mail addresses
- total number of employees (all shifts) covered by the scope of the audit
- range and class of medical devices being manufactured
- types of devices sold and/or planned to be sold in the countries and/or regions for
which the regulatory requirements will be assessed, including a complete list of
authorizations (e.g. licenses) issued for those devices (where applicable)
- location and function of each site to be included in the audit
- a list of activities on each site
- the involvement of any special manufacturing processes, e.g. software, sterilization,
etc.
- a list of the activities performed by subcontractors and their locations, including the
type of control that is exercised over those outsourced operations
- any existing audit results from other auditing organizations e.g. from USA, Australia,
Europe, Canada, Japan.
- do they install or service the medical devices produced
- changes since the last audit, if applicable.
iii) Audit frequency
The audit frequency is dependent on the factors mentioned in Appendix 3, the
regulatory requirements and history of the Manufacturer.
iv) Audit duration
The audit duration has a significant effect on both regulatory agencies and industry. It is
dependent on factors such as the audit scope and specific regulatory requirements to
be assessed, as well as on the range, class and complexity of devices, and the size and
complexity of the manufacturer. If not specifically mentioned, the considerations in this
section are applicable to initial and surveillance audits.
v) Relation between audit frequency and audit duration
Audit duration depends on the audit frequency. In the following, an annual audit
frequency is the baseline, as referenced in IAF Guidance on the Application of ISO/IEC
Guide 62. For more or less frequent audits, audit duration should be adapted
accordingly.
vi) Method of estimating audit duration
When auditing organizations are planning regulatory audits, sufficient time should be
allowed for the audit team to establish the conformity status of a medical device
manufacturer's quality system with respect to the relevant regulatory requirements. Any
additional time required to assess national or regional regulatory requirements must be
justified.
The table from the IAF Guidance on the Application of ISO/IEC Guide 62 may be
used in order to establish a baseline initial audit duration for ISO 9000-series, measured
in auditor-days. As this table is not intended for the special needs of medical device
audits, additional time should be added for the requirements of ISO 13485:2003 and for
regulatory requirements. This document also provides guidance for other types of
activities, such as surveillance audits.

The baseline includes time to prepare for the audit, preview the quality system
documentation and write the report. It does not consider the time required for design
dossier reviews, type examinations, pre-market approvals and other similar activities.
The baseline for initial audits should be adjusted to take into account the other types of
audits and the factors listed in Appendix 1 which may increase or decrease the
estimated audit duration, but only if these factors are required by the applicable
regulations.
Targeted on-site auditing time
The targeted on-site time to complete the initial auditing of the subsystems should be
based on the following data given in Table 2:

Subsystem                            Targeted time   Remarks
Management                           5-10 %
Design and development controls      0-20%           Depends on regulatory requirements
Technical files                      5-20%
Production processes                 20-30 %
Corrective and preventive actions    10-30 %
Purchasing controls                  5-20%           More time for virtual manufacturers
Documentation and records            5%
Customer requirements                5%

Table 2: Targeted on-site auditing time


The targeted on site audit time for each subsystem will vary depending on factors
such as:

• the audit scope
• schedule changes
• the gathering of information from remote locations

5.6. Guidance for Logistics during an Audit


i) The following points should help the auditor in performing the audit in the most
appropriate way:
- Does the manufacturer have changes (e.g. organization, quality system, facilities,
processes, products) to present during the opening meeting?
- Limit the disturbance of the CEO and Executive Management to a minimum and be
flexible in auditing Management Responsibility.
- Follow up issues from last audit as soon as possible, to determine whether the
manufacturer has effectively implemented corrective actions.
- Auditing the warehouse at the beginning of an audit allows for the selection of
examples that can be followed up later on (e.g. nonconforming material, batch records,
etc.)
- Auditing traceability at an early stage of the audit allows the traceability path to be
followed either forward (e.g. simulated recall) or backwards, and gives the manufacturer
sufficient time to access relevant information or to carry out the necessary actions.
- For surveillance audits focus either on design and administrative processes or on
production and related activities.
- Internal audits, complaints, CAPA and management review should be covered at
every audit.
- Auditing documentation and training at the end of an audit allows for better follow-up
of the examples picked up during the audit.
- The local situation may influence the sequence of audit and should be considered to
avoid wasting time.
Consideration to those points should be given, but the audit team is free to audit the
subsystems in any sequence appropriate.

5.7. Linkages
i) Although most of the auditor’s time will be spent on examining processes within the
sub-systems, it is important to remember that links exist between the sub-systems and
between different processes. Some of these links are less obvious than others, but
should be checked during the audit.
Examples: Link between corrective and preventive actions and management and
disseminating CAPA information to management for management review
ii) Design and development controls and purchasing controls: Design output used in
evaluating potential suppliers of components and assemblies and
communicating specified purchase requirement to that supplier.
iii) Within a process, the steps will normally be linked because the output from one
step will be the input to the next. During a process based audit, these links may be
picked up automatically by the auditor.
iv) There are also some obvious links between processes, e.g. the output from design
will be an input to production. These links need to be checked during both parts of the
audit (e.g. design and production) to verify that the link is working and the quality
system is working as a coherent whole.
v) There are other links which may be less obvious, but which still need to be audited,
e.g. if non-conforming product is seen in finished goods, did this problem originate in
stores, production, final inspection or design?
vi) There also are links between sub-systems, e.g. if faulty components arrive on the
production floor, was this caused by the supplier, receiving inspection, incorrect data to
the supplier or by design?
vii) In such instances, does the system require the manufacturer to always make a
CAPA report?

6. Auditing subsystems

There is a specific goal in auditing each subsystem. The plan for auditing each
subsystem should be process based (chapter 5.4) and should enable the goal to be
reached. This should include verifying conformance with the requirements which affect
each subsystem. For logistics see also chapter 5.7.
Note 1: Numbers beneath each chapter refer to ISO 13485:2003.
Note 2: Chapters marked with * are main subsystems and should receive a main focus
of the audit, if this is a regulatory requirement. See also chapter 5.2.

6.1. Management
GOAL: The purpose of the management subsystem audit is to evaluate whether top
management ensures that an adequate and effective quality system has been
established and maintained.
Major Steps: The following major steps serve as a guide in the audit of the
“Management” subsystem:
i) ISO 13485:2003: 4.1, 4.2 – Verify that a quality manual, management review and
quality audit procedures, quality plan, and quality system procedures and instructions
have been defined and documented.
ii) ISO 13485:2003: 5.3, 5.4 – Verify that a quality policy and objectives have been
defined and documented and steps taken to achieve them.
iii) ISO 13485:2003: 5.1, 5.5.1, 5.5.2, 6.1, 6.2 – Review the manufacturer’s established
organizational structure to verify that it includes provisions for responsibilities,
authorities (e.g. management representative), resources, competencies and training.
iv) ISO 13485:2003: 5.6 – Verify that management reviews, including a review of the
suitability and effectiveness of the quality system, are being conducted.
v) ISO 13485:2003: 8.2.2 – Verify that internal audits of the quality system are being
conducted including verification of corrective and preventive actions.
In conclusion of the audit of the other subsystems a decision should be made as to
whether top management has taken the appropriate actions to ensure a suitable and
effective quality system is in place.

6.2. Design and Development


GOAL: The purpose of auditing the design and development subsystem is to determine
whether the design process is controlled to ensure that devices meet user needs,
intended uses and specified requirements.
Major Steps: The following major steps serve as a guide in the audit of the “Design and
Development” subsystem:
i) ISO 13485:2003: 7.1 – Verify if products are subject to design and development
procedures.
ii) Select design project(s) according to the following criteria:
- single product focus
- risk based
- based on complaints or known problems
- most recent project
- cover product range
iii) ISO 13485:2003: 7.3.1 – Review the design plan for the selected project to
understand the layout of the design and development activities, including assigned
responsibilities and interfaces.
iv) ISO 13485:2003: 7.3.1 – For the design project(s) selected, verify that design
control procedures and risk management procedures have been established and
applied.
v) ISO 13485:2003: 7.2.1, 7.3.2 – Confirm that design inputs were established and
address customer functional, performance and safety requirements, intended use,
applicable statutory and regulatory requirements, and other requirements essential
for design and development.
vi) ISO 13485:2003: 7.3.3 – Review device specifications to confirm that design and
development outputs meet design input requirements. Have the design outputs that
are essential for the proper functioning of the device been identified?
vii) ISO 13485:2003: 7.1, 7.3.5 – Confirm that risk analysis and risk control steps are
completed and that the design and development outputs are compatible with the risk
management data.
viii) ISO 13485:2003: 7.3.6 – Determine that the intended use(s) have been identified.
Confirm that design validation data show that the approved design meets the
requirements for the specified application or intended use(s).
ix) ISO 13485:2003: 7.3.6 – Confirm that clinical evaluations and/or evaluation of the
medical device performance were performed if required by national or regional
regulations.
ISO 13485:2003: 7.3.1, 7.3.6. If the device includes software, confirm that the software
was part of the validation.
x) ISO 13485:2003: 7.1, 7.3.5, 7.3.7 – Confirm that design changes were controlled
and verified or where appropriate validated and that design changes have been
addressed by the appropriate risk management steps.
xi) ISO 13485:2003: 7.3.1, 7.3.4 – Confirm that design reviews were conducted.
xii) ISO 13485:2003: 7.3.7 – Confirm that design changes have been reviewed for the
effect on components and product previously made and delivered, and that records of
review results are maintained.
xiii) ISO 13485:2003: 7.3.1 – Determine if the design was correctly transferred to
production. Evaluate the “Design and Development” subsystem for adequacy based on
findings.

6.3. Technical Files


GOAL: The purpose of auditing the technical files is to confirm that the manufacturer
ensures that products will be safe and effective.
Major Steps: The following major steps serve as a guide in the audit of the “Technical
Files” subsystem:
i) ISO 13485:2003: 4.2.1d – Verify if there are documents needed by the organization
to ensure planning, operation and control of its processes. Select
documents/documentation for product(s)
according to the following criteria for selection:
- single product focus
- risk based
- based on complaints or known problems
- most recent project
- cover product range
ii) For the product(s) selected verify that documentation includes:
ISO 13485:2003: 7.1, 7.2, 7.3.3
- a general description of the product including intended use(s) and any variants,
accessories, or other devices used in combination with the selected product(s)
- design specifications, including the standards applied, results of risk analysis
- fulfillment of the principal requirements
- techniques used to verify the design and to validate the product(s)
- clinical data
- description of sterilization method and validation – if applicable
- instruction manual(s)
- labeling
- major subcontractors
iii) Evaluate the “Technical Files” subsystem for adequacy based on findings.

6.4. Production Processes


Goal: The purpose of auditing the production process (including testing, infrastructure,
facilities and equipment) is to confirm that manufactured products meet specifications.
Major Steps: The following major steps serve as a guide in the audit of the
“Production Process” subsystem:
i) ISO 13485:2003: 7.1 – Verify that the product realization processes are planned –
including the controlled conditions.
ii) ISO 13485:2003: 7.1 – Verify that the planning of product realization is consistent
with the requirements of the other processes of the quality management system. Select
one or more processes for review according to the following criteria:
- CAPA indicators of process problems
- risk based: use of the process for manufacturing higher risk products
- degree of risk of the process to cause product failure
- most recent project: the manufacturer’s lack of familiarity and experience with the
process
- use of the process in manufacturing multiple products
- processes not covered during previous audits
Note: For auditing a sterilization process see Appendix 5
iii) ISO 13485:2003: 7.5 – Verify that the processes are controlled and monitored and
operating within specified limits.
iv) ISO 13485:2003: 7.5 – Verify that the equipment used has been adjusted,
calibrated and maintained.
v) ISO 13485:2003: 7.5.2 – Verify that the processes have been validated if the result
of the process cannot be verified.
vi) ISO 13485:2003: 4.1, 4.2 – Determine the linkages to other processes.
vii) ISO 13485:2003: 6.2.2 – Verify that personnel are appropriately qualified and
trained to implement/maintain the processes.
viii) ISO 13485:2003: 6.3, 6.4 – Verify that the infrastructure and the work environment
are adequate.
ix) ISO 13485:2003: 7.4.3 – Determine that the verification of purchased products is
adequate.
x) ISO 13485:2003: 7.5.2.1 – If the process is software controlled verify that the
software is validated.
xi) ISO 13485:2003: 7.6 – Verify that the control of the monitoring and measuring
devices is adequate.
xii) ISO 13485:2003: 7.6, 8.2.4 – Verify that the system for monitoring and measuring
of products is adequate and that the monitoring and measuring devices used are
adequately controlled
xiii) ISO 13485:2003: 8.3 – Verify that the arrangement for control of non-conforming
products is adequate. Evaluate the “Production Processes” subsystem for adequacy
based on findings.

6.5. Corrective and Preventive Actions – CAPA


GOAL: The purpose of auditing the CAPA subsystem (including reporting / tracking) is
to confirm that information is collected and analyzed to identify product and quality
problems, that these are investigated, and that appropriate and effective corrective and
preventive actions are taken.
Major Steps: The following major steps serve as a guide in the audit of the “Corrective
and Preventive Actions - CAPA” subsystem:
i) ISO 13485:2003: 4.1, 4.2, 8.5 – Verify that CAPA system procedure(s) which
address the requirements of the quality system have been established and
documented.
ii) ISO 13485:2003: 8.4, 8.5 – Verify that the data received by the CAPA subsystem
are complete, accurate and recorded in a timely fashion.
iii) ISO 13485:2003: 8.1, 8.2.3, 8.4 – Determine if appropriate sources of product and
quality problems have been identified, including sources which may show unfavourable
trends. Confirm that data from these sources are analyzed, using valid statistical
methods where appropriate, to identify existing product and quality problems that may
require corrective action.
iv) ISO 13485:2003: 8.5.2 – Determine if failure investigations are conducted to identify
the causes of non-conformities, where possible.
v) ISO 13485:2003: 8.3 – Verify that controls are in place to prevent distribution of
non-conforming products.
vi) ISO 13485:2003: 8.2.3, 8.5.2, 8.5.3 – Confirm that corrective and preventive actions
were implemented, effective, documented and did not adversely affect finished devices.
vii) ISO 13485:2003: 5.6.3 – Determine if information regarding nonconforming product
and quality problems and corrective and preventive actions has been supplied to
management for management review.
viii) ISO 13485:2003: 8.5.1 – Verify that medical device reporting is done according to
the applicable regulatory requirements.
ix) ISO 13485:2003: 7.2.3, 8.2.1 – Confirm that the manufacturer has made effective
arrangements for handling complaints and investigation of advisory notices/recalls with
provision for feedback into the corrective and preventive action subsystem.
Evaluate the “Corrective and Preventive Actions” subsystem for adequacy based on
findings.

6.6. Purchasing Control


• This subsystem is a main subsystem for virtual manufacturers
GOAL: The purpose of auditing the purchasing control activities is to ensure that
products, components, materials and services supplied by the subcontractor are in
conformity. This is particularly important when finished products and/or sterilization
services are purchased.
Major Steps: The following major steps serve as a guide in the audit of the Purchasing
Control subsystem:
i) ISO 13485:2003: 7.4.1 – Verify that procedures for conducting supplier evaluations
have been established and are being implemented.
ii) ISO 13485:2003: 7.4.1 – Confirm that the manufacturer evaluates suppliers for their
ability to meet specified requirements.
iii) ISO 13485:2003: 7.4.2 – Confirm that the manufacturer assures the adequacy of
specifications for products and services that suppliers are to provide.
iv) ISO 13485:2003: 7.4.1 – Confirm that records of supplier evaluations are
maintained.
v) ISO 13485:2003: 7.4.3 – Determine that the verification of purchased products is
adequate. Evaluate the “Purchasing Controls” subsystem for adequacy based on
findings.

6.7. Documentation and Records


GOAL: The purpose of auditing the records and documentation is to ensure that the
relevant documents are controlled within the manufacturer and that the relevant records
are available to the regulatory body.
Major Steps: The following major steps serve as a guide in the audit of the
Documentation and Records Subsystem:
i) ISO 13485:2003: 4.2.3, 4.2.4 – Verify that procedures have been established for
the identification, storage, protection, retrieval, retention time and disposition of
documents and records.
ii) ISO 13485:2003: 4.2.3 – Confirm that documents and changes are approved prior to
use.
iii) ISO 13485:2003: 4.2.3 – Confirm that current documents are available where they
are used and that obsolete documents are no longer in use.
iv) ISO 13485:2003: 4.2.1, 4.2.4 – Verify that required documents and records are
being retained for the required length of time. Evaluate the “Documentation and
Records” subsystem for adequacy based on findings.

6.8. Customer Requirements
GOAL: The purpose of auditing customer requirements is to ensure that customer
requirements including regulatory requirements are met.
Major Steps: The following major steps serve as a guide in the audit of the Customer
Requirements subsystem.
i) ISO 13485:2003: 7.2.2 – Review product requirements to verify that they address
the intended use as well as customer and regulatory requirements.
ii) ISO 13485:2003: 7.2.2 – Confirm that incoming contracts and orders are reviewed
to assure that any conflicting information is resolved and the manufacturer can fulfil the
customer’s requirements.
iii) ISO 13485:2003: 7.2.3, 8.2.1 – Confirm that the manufacturer has made effective
arrangements for handling communications with customers including documenting
customer feedback to identify quality problems and provide input into the corrective and
preventive action subsystem.
iv) Evaluate the “Customer Requirements” subsystem for adequacy based on
findings.
